This vulnerability allows bypassing authority checks that exist before
executing a transaction. A transaction in SAP terminology is the
execution of a program.

By exploiting this vulnerability, an attacker can also control the
transaction to be executed, allowing it to obtain critical rights in
the system and bypassing certain segregation of duties (SoD)
restrictions.

Although this vulnerability is found in the SAP industry solution for
healthcare, the functionality is also present in the SAP ERP central
component (ECC 6). Thus, customers in other industries are also
affected.